|
|
(96 intermediate revisions by 9 users not shown) |
Line 1: |
Line 1: |
− | = DRAFT CHEAT SHEET - WORK IN PROGRESS = | + | __NOTOC__ |
| + | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | |
− | = Introduction =
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| | | |
− | This cheat sheet provides a checklist of tasks to be performed when performing a blackbox security test of a web application.
| + | An [https://github.com/OWASP/CheatSheetSeries/issues/13 open discussion] is pending about to exclude or not this cheat sheet of the V2 of the project. |
− | | |
− | = Purpose =
| |
− | | |
− | This checklist is intended to be used as an aide memoire for experienced pentesters and should be used in conjunction with the [[:Category:OWASP Testing Project|OWASP Testing Guide]]. It will be updated as the [[OWASP_Application_Testing_guide_v4|Testing Guide v4]] is progressed.
| |
− | | |
− | The intention is that this guide will be available as an XML document, with scripts that convert it into formats such as pdf, Media Wiki markup, HTML etc.
| |
− | | |
− | This will allow it to be consumed within security tools as well as being available in a format suitable for printing.
| |
− | | |
− | It is currently at a very early stage, but any feedback or offers of help will be appreciated.
| |
− | | |
− | = The Checklist =
| |
− | | |
− | == Information Gathering ==
| |
− | * Manually explore the site
| |
− | * Spider/crawl for missed or hidden content
| |
− | * Check for files that expose content, such as robots.txt, sitemap.xml, .DS_Store
| |
− | * Check the caches of major search engines for publicly accessible sites
| |
− | * Check for differences in content based on User Agent (eg, Mobile sites, access as a Search engine Crawler)
| |
− | * Perform Web Application Fingerprinting
| |
− | * Identify technologies used
| |
− | * Identify user roles
| |
− | * Identify application entry points
| |
− | * Identify client-side code
| |
− | * Identify multiple versions/channels (e.g. web, mobile web, mobile app, web services)
| |
− | * Identify co-hosted and related applications
| |
− | * Identify all hostnames and ports
| |
− | * Identify third-party hosted content
| |
− | | |
− | == Configuration Management ==
| |
− | * Check for commonly used application and administrative URLs
| |
− | * Check for old, backup and unreferenced files
| |
− | * Check HTTP methods supported and Cross Site Tracing (XST)
| |
− | * Test file extensions handling
| |
− | * Test for security HTTP headers (e.g. CSP, X-Frame-Options, HSTS)
| |
− | * Test for policies (e.g. Flash, Silverlight, robots)
| |
− | * Test for non-production data in live environment, and vice-versa
| |
− | * Check for sensitive data in client-side code (e.g. API keys, credentials)
| |
− | | |
− | == Secure Transmission ==
| |
− | * Check SSL Version, Algorithms, Key length
| |
− | * Check for Digital Certificate Validity (Duration, Signature and CN)
| |
− | * Check credentials only delivered over HTTPS
| |
− | * Check session tokens only delivered over HTTPS
| |
− | * Check if HTTP Strict Transport Security (HSTS) in use
| |
− | == Authentication ==
| |
− | * Test for user enumeration
| |
− | * Test for authentication bypass
| |
− | * Test for bruteforce protection
| |
− | * Test password quality rules
| |
− | * Test remember me functionality
| |
− | * Test for autocomplete on password forms/input
| |
− | * Test password reset and/or recovery
| |
− | * Test password change process
| |
− | * Test CAPTCHA
| |
− | * Test multi factor authentication
| |
− | * Test for logout functionality presence
| |
− | * Test for cache management on HTTP (eg Pragma, Expires, Max-age)
| |
− | * Test for default logins
| |
− | * Test for user-accessible authentication history
| |
− | * Test for out-of channel notification of account lockouts and successful password changes
| |
− | * Test for consistent authentication across applications with shared authentication schema / SSO
| |
− | | |
− | == Session Management ==
| |
− | * Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
| |
− | * Check session tokens for cookie flags (httpOnly and secure)
| |
− | * Check session cookie scope (path and domain)
| |
− | * Check session cookie duration (expires and max-age)
| |
− | * Check session termination after a maximum lifetime
| |
− | * Check session termination after relative timeout
| |
− | * Check session termination after logout
| |
− | * Test to see if users can have multiple simultaneous sessions
| |
− | * Test session cookies for randomness
| |
− | * Confirm that new session tokens are issued on login, role change and logout
| |
− | * Test for consistent session management across applications with shared session management
| |
− | * Test for session puzzling
| |
− | * Test for CSRF and clickjacking
| |
− | == Authorization ==
| |
− | * Test for path traversal
| |
− | * Test for bypassing authorization schema
| |
− | * Test for vertical Access control problems (a.k.a. Privilege Escalation)
| |
− | * Test for horizontal Access control problems (between two users at the same privilege level)
| |
− | * Test for missing authorization
| |
− | == Data Validation ==
| |
− | * Test for Reflected Cross Site Scripting
| |
− | * Test for Stored Cross Site Scripting
| |
− | * Test for DOM based Cross Site Scripting
| |
− | * Test for Cross Site Flashing
| |
− | * Test for HTML Injection
| |
− | * Test for SQL Injection
| |
− | * Test for LDAP Injection
| |
− | * Test for ORM Injection
| |
− | * Test for XML Injection
| |
− | * Test for XXE Injection
| |
− | * Test for SSI Injection
| |
− | * Test for XPath Injection
| |
− | * Test for XQuery Injection
| |
− | * Test for IMAP/SMTP Injection
| |
− | * Test for Code Injection
| |
− | * Test for Command Injection
| |
− | * Test for Overflow (Stack, Heap and Integer)
| |
− | * Test for Format String
| |
− | * Test for incubated vulnerabilities
| |
− | * Test for HTTP Splitting/Smuggling
| |
− | * Test for HTTP Verb Tampering
| |
− | * Test for Open Redirection
| |
− | * Test for Local File Inclusion
| |
− | * Test for Remote File Inclusion
| |
− | * Compare client-side and server-side validation rules
| |
− | * Test for NoSQL injection
| |
− | * Test for HTTP parameter pollution
| |
− | * Test for auto-binding
| |
− | == Denial of Service ==
| |
− | * Test for anti-automation
| |
− | * Test for account lockout
| |
− | * Test for HTTP protocol DoS
| |
− | == Business Logic ==
| |
− | * Test for feature misuse
| |
− | * Test for lack of non-repudiation
| |
− | * Test for trust relationships
| |
− | * Test for integrity of data
| |
− | * Test segregation of duties
| |
− | == Risky Functionality - File Uploads ==
| |
− | * Test that acceptable file types are whitelisted
| |
− | * Test that file size limits, upload frequency and total file counts are defined and are enforced
| |
− | * Test that file contents match the defined file type
| |
− | * Test that all file uploads have Anti-Virus scanning in-place.
| |
− | * Test that unsafe filenames are sanitised
| |
− | * Test that uploaded files are not directly accessible within the web root
| |
− | * Test that uploaded files are not served on the same hostname/port
| |
− | * Test that files and other media are integrated with the authentication and authorisation schemas
| |
− | == Risky Functionality - Card Payment ==
| |
− | * Test whether card number are stored
| |
− | * TBC
| |
− | == HTML 5==
| |
− | * Test Web Messaging
| |
− | * Test for Web Storage SQL injection
| |
− | | |
− | = Authors and primary contributors =
| |
− | | |
− | [[User:Simon Bennetts|Simon Bennetts]]<br/>
| |
− | [[User:Raesene|Rory McCune]] <br/>
| |
− | Colin Watson<br/>
| |
− | Simone Onofri<br/>
| |
− | | |
− | All the authors of theTesting Guide v3
| |
− | | |
− | = Other Contributors =
| |
− | | |
− | | |
− | = Related articles =
| |
− | | |
− | OWASP [[:Category:OWASP Testing Project|Testing Guide]]
| |
− | | |
− | Mozilla [https://wiki.mozilla.org/WebAppSec/Web_Security_Verification Web Security Verification]
| |
− | | |
− | {{Cheatsheet_Navigation}}
| |
− | | |
− | [[Category:Cheatsheets]] [[Category:OWASP_Breakers]]
| |